Visualize field value highs and lows
This topic discusses how to use the transforming commands, top and rare, to create charts that display the most and least common values.
The top and rare commands
The top command returns the most frequent values of a specified field in your returned events. The rare command returns the least common values of a specified field in your returned events. Both commands share the same syntax. If you don't specify a limit, the default number of values displayed by top or rare is ten.
Example 1: Generate a report that sorts through firewall information to list the top 100 destination ports used by your system:
sourcetype=firewall | top limit=100 dst_port
Example 2: Generate a report that shows you the source ports with the lowest number of denials:
sourcetype=firewall action=Deny | rare src_port
A more complex example of the top command
Say you're indexing an alert log from a monitoring system, and you have two fields:
msg is the message, such as CPU at 100%.
mc_host is the host that generates the message, such as
How do you get a report that displays the top msg and the values of mc_host that sent them, so you get a table like this:
| Messages by mc_host |
| --- |
| CPU at 100% |
| Log File Alert |
To do this, set up a search that finds the top message for each mc_host (using limit=1 to only return one) and then sorts by the message count in descending order:
sourcetype=alert_log | top 1 msg by mc_host | sort -count
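The following Python is an added example, not code from the Splunk documentation or the Splunk product: it models what top, rare, the by clause and sort -count do to a set of events, so the three searches on this page can be traced by hand offline. The events, the host names log01 to log03 and the "Disk at 95%" message are constructed; the percent column mirrors the one SPL adds; the tie-break by value is a choice of this example, since SPL does not promise a tie order.

```python
from collections import Counter

# Constructed sample events (not real data). Field names follow the page
# (dst_port, src_port, action, msg, mc_host); the values are made up.
FIREWALL_EVENTS = (
    [{"action": "Allow", "dst_port": 443, "src_port": 51000 + i} for i in range(5)]
    + [{"action": "Allow", "dst_port": 80, "src_port": 52000 + i} for i in range(3)]
    + [{"action": "Deny", "dst_port": 22, "src_port": 40000} for _ in range(2)]
    + [{"action": "Deny", "dst_port": 3389, "src_port": 40001}]
    + [{"action": "Deny", "dst_port": 23, "src_port": 40002}]
)

# Host names and the "Disk at 95%" message are constructed for this example.
# log03 is listed first on purpose, so that the final sort step visibly matters.
ALERT_EVENTS = (
    [{"mc_host": "log03", "msg": "Disk at 95%"}] * 2
    + [{"mc_host": "log01", "msg": "CPU at 100%"}] * 4
    + [{"mc_host": "log01", "msg": "Log File Alert"}]
    + [{"mc_host": "log02", "msg": "Log File Alert"}] * 3
    + [{"mc_host": "log02", "msg": "CPU at 100%"}]
)


def _group_counts(events, field, by):
    """Count values of `field`, optionally split into one Counter per `by` value.
    Events missing `field` (or `by`, when given) are skipped, as SPL does."""
    groups = {}
    for ev in events:
        if field not in ev or (by is not None and by not in ev):
            continue
        key = ev[by] if by is not None else None
        groups.setdefault(key, Counter())[ev[field]] += 1
    return groups


def top(events, field, limit=10, by=None, least_common=False):
    """Model of SPL `top [limit=N] <field> [by <by-field>]`.

    Returns rows of {field: value, "count": n, "percent": p} (plus the `by`
    field when grouping), at most `limit` rows per group; the default limit of
    10 matches SPL. percent is relative to the events counted in that group.
    Ties are broken by value here; SPL does not promise a tie order."""
    rows = []
    for key, counter in _group_counts(events, field, by).items():
        total = sum(counter.values())
        ordered = sorted(
            counter.items(),
            key=lambda kv: ((kv[1] if least_common else -kv[1]), kv[0]),
        )
        for value, count in ordered[:limit]:
            row = {field: value, "count": count, "percent": round(100 * count / total, 6)}
            if by is not None:
                row[by] = key
            rows.append(row)
    return rows


def rare(events, field, limit=10, by=None):
    """Model of SPL `rare`: same row shape as top, least common values first."""
    return top(events, field, limit, by, least_common=True)


def sort_desc(rows, key="count"):
    """Model of `| sort -count`: highest count first, across all groups."""
    return sorted(rows, key=lambda r: r[key], reverse=True)


def deny_source_port_rare(events):
    """Model of `sourcetype=firewall action=Deny | rare src_port`."""
    return rare([e for e in events if e.get("action") == "Deny"], "src_port")


def top_msg_per_host(events):
    """Model of `sourcetype=alert_log | top 1 msg by mc_host | sort -count`.
    Without the sort step the rows come out in group discovery order."""
    return sort_desc(top(events, "msg", limit=1, by="mc_host"))


if __name__ == "__main__":
    for row in top(FIREWALL_EVENTS, "dst_port", limit=100):  # Example 1
        print(row)
    for row in deny_source_port_rare(FIREWALL_EVENTS):       # Example 2
        print(row)
    for row in top_msg_per_host(ALERT_EVENTS):               # complex example
        print(row)
```

Running the script prints the three result tables in order. The grouped call shows why the trailing sort is needed: top by mc_host emits one row per host in the order the hosts were first seen, and only sort -count turns that into a table ranked by how often each host's top message occurred.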
Create charts that are not (necessarily) time-based
Create reports that display summary statistics
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release), 9.0.2303